Last Week in Security (LWiS) - 2024-10-21

VNC-Like over SCCM (@netero_1010), Use LLMs to find CVEs (@ProtectAICorp), New process 💉 technique (@OutflankNL), 💰 Big acquisition (@Sophos), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-10-14 to 2024-10-21.

News

Techniques and Write-ups

Tools and Exploits

  • SCCMVNC - A tool to modify SCCM remote control settings on the client machine, enabling remote control without permission prompts or notifications. This can be done without requiring access to the SCCM server.
  • Secure_Stager - An x64 position-independent shellcode stager that verifies the stage it retrieves prior to execution.
  • rigour - A rigorous IoT scanner based on Shodan.io.
  • vulnhuntr - Vulnhuntr leverages the power of LLMs to automatically create and analyze entire code call chains starting from remote user input and ending at server output for detection of complex, multi-step, security-bypassing vulnerabilities that go far beyond what traditional static code analysis tools are capable of performing.
  • AuthzAI - An automated tool to test and analyze API endpoints for potential permission model violations using OpenAI structured outputs.
  • rflasermic - From DEFCON32: an RF-modulated high-fidelity laser microphone and keystroke sniffer.
  • LsassReflectDumping - This tool leverages the Process Forking technique using the RtlCreateProcessReflection API to clone the lsass.exe process. Once the clone is created, it utilizes MINIDUMP_CALLBACK_INFORMATION callbacks to generate a memory dump of the cloned process.
  • CVE-2024-43532 - PoC of CVE-2024-43532 by Akamai Security Research
  • DarkWidow - Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing.
  • emulator - 🪅 Windows User Space Emulator. A high-performance Windows process emulator that operates at the syscall level, providing full control over process execution through comprehensive hooking capabilities.
  • servicelens - ServiceLens is a Python tool for analyzing services linked to Microsoft 365 domains. It scans DNS records like SPF and DMARC to identify services, categorizing them into Email, Cloud, Security, and more.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • ghostport - A high-performance port spoofing tool built in Rust. Confuse port scanners with dynamic service emulation across all ports. Features customizable signatures, efficient async handling, and easy traffic redirection.
  • venator - A flexible threat detection platform that simplifies rule management and deployment using K8s CronJob and Helm, but can also run standalone or with other job schedulers like Nomad.
  • openvmm - Home of OpenVMM and OpenHCL.
  • zerox - A dead simple way of OCR-ing a document for AI ingestion. Documents are meant to be a visual representation after all, with weird layouts, tables, charts, etc.
  • Query WinGet software installer data with PowerShell - Don't sleep on WinGet! It's a great way to install software on Windows.
  • saml2aws - CLI tool which enables you to log in and retrieve AWS temporary credentials using a SAML IdP.
  • GoReSym - Go symbol recovery tool.
  • BitNet - Official inference framework for 1-bit LLMs.
  • Nuitka - Nuitka is a Python compiler written in Python. It's fully compatible with Python 2.6, 2.7, 3.4-3.12. You feed it your Python app, it does a lot of clever things, and spits out an executable or extension module.
  • RustHound-CE - Active Directory data ingestor for BloodHound Community Edition written in Rust. 🦀

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.